Rapid7 Vulnerability & Exploit Database

Microsoft IIS 4.0/5.0 Malformed Filename Request Vulnerability


Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 05/11/2000
Created: 07/25/2018
Added: 11/01/2004
Modified: 03/21/2018

Description

Requesting a known filename with the extension replaced with .htr, preceded by approximately 230 "%20" sequences (the URL-escaped form of a space), causes Microsoft IIS 4.0/5.0 to retrieve the file and return its contents. This happens because the .htr file extension is mapped to the ISM.DLL ISAPI application, so .htr requests are routed to ISM.DLL. ISM.DLL removes the extraneous "%20" sequences, replaces .htr with the proper filename extension, and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488.

This action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another.
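For reviewing web server logs for the request shape described above, the following detection sketch is an added example and not part of the original advisory. The log format (NCSA common style), the sample lines, the 50-space threshold and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the advisory cites roughly 230 encoded spaces; a lower
# threshold also catches shorter probes and is still far from normal URLs.
MIN_SPACE_RUN = 50

# Client address, request path and status from an NCSA-style log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def padded_htr_target(raw_path):
    """Return the path in front of the padding if raw_path is
    '<file><long run of spaces>.htr', otherwise None."""
    path = raw_path.split("?", 1)[0]
    # Assumption: logs may record spaces as %20 or as '+'; normalise both.
    decoded = unquote(path.replace("+", " "))
    if not decoded.lower().endswith(".htr"):
        return None
    stem = decoded[:-4]              # drop the ".htr" suffix
    target = stem.rstrip(" ")        # what remains once the padding is removed
    if not target or len(stem) - len(target) < MIN_SPACE_RUN:
        return None
    return target

def scan(lines):
    """Return (client, requested_file, status) for each padded .htr request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, path, status = m.groups()
        target = padded_htr_target(path)
        if target is not None:
            hits.append((client, target, int(status)))
    return hits

# Constructed sample log lines, not taken from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/May/2000:10:01:02 +0000] "GET /default.asp HTTP/1.0" 200 4312',
    '198.51.100.7 - - [11/May/2000:10:01:09 +0000] "GET /global.asa'
    + "%20" * 230 + '.htr HTTP/1.0" 200 911',
    '192.0.2.10 - - [11/May/2000:10:02:00 +0000] "GET /admin/change.htr HTTP/1.0" 200 2048',
    '198.51.100.7 - - [11/May/2000:10:02:30 +0000] "GET /login.asp'
    + "+" * 60 + '.HTR HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        print(f"{client}: padded .htr request for {target} (status {status})")
```

A hit with status 200 deserves priority, since that is the case in which the file contents may have been returned; ordinary .htr requests without padding are not flagged.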

Solution(s)

  • install-microsoft-patch-48a6d7e7a02c1e216d74f78177e59b1e
  • install-microsoft-patch-02c274d365f8451193b83b735036cfe8
